What is claimed is: 



1 . A method of designing a password-based authentication and key exchange protocol 
using a zero-knowledge interactive proof, comprising: 

a first step of setting various kinds of system parameters required for authentication; 

a second step of a user selecting a certain random number (r, x) in conformity with the 
set parameters, and sending to a server a message including a user ID, a test number 
(A=OWF(r)) to which a one-way function (OWF) is applied, and a first question number 
generation value X known only to the server and the user; 

a third step of the server sending to the user a message including an authentication 
Auth of whether the server possesses a public key, and a second question number generation 
value Y known only to the server and the user; 

a fourth step of the user authenticating the server by verifying the authentication Auth, 
computing a resultant value c of a secret coin tossing known only to the server and the user 
and a session key SK in a general zero-knowledge proof, and sending to the server a witness 
number B for user authentication; and 

a fifth step of the server that stores a password verifier (V=OWF(f(P)) for the 
respective user verifying the witness number B using the test number A, the password verifier 
V, and the value c, and exchanging the session key SKby computing the session key SK. 

2. The method as claimed in claim 1, wherein the witness number B is sent to the 
server using the value c, the random number r, and its own password P. 

3. The method as claimed in claim 1, wherein the user authenticates the server by 
confirming whether the server possesses the password verifier. 
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4. The method as claimed in claim 1, wherein if the one-way function is based on an 
RSA problem, the password verifier is V=[f(P)" 1 ] e mod n, where n=p*q(p and q are RSA 
fractions, e (fraction) is a public key, and f(P) is a function for expanding the password P into 
lg(n) bits. 

5 . The method as claimed in claim 1, wherein the witness number B is B=r*f(P) c 
mod n, where c=H(TSK||A), TSK=H(K'||0), K-[V _1 (X)] y , K^HCKI^Hg^IDuserlllDserver, and 
H( ) is a hash function. 

6. The method as claimed in claim 1, wherein authentication of the witness number B 
is performed using B e *V c =A mod n, where c=H(TSK||A), TSK=H(K'||0), K=[V" 1 (Y)] X ? and 

K^H(Ki|g X |ig y ||ID User ||IDserver). 

7. The method as claimed in claim 1, wherein if the one-way function is based on a 
discrete logarithm problem, the password verifier is V=a" F(p) mod p, where a is a generator of 
Z* q , p is a fraction, and f(P) is a function for expanding the password P into lg(n) bits. 

8. The method as claimed in claim 1, wherein the witness number is B-r+f(P)*c mod 
q, where c=H(TSK||A), TSK=H(K'||0), K=[V'(X)] y , K'=H(K||g x ||g y ||ID User ||IDserver, and H( ) 
is a hash function. 

9. The method as claimed in claim 8, wherein authentication of the witness number B 
is performed using a B V c =A mod p, where c=H(TSK||A), TSK=H(K'||0), K=[V , (Y)] X ) and 

K^HCKIIgfUgyillDuserlllDserver). 
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10. The method as claimed in claim 1, wherein if the one-way function is based on a 
prime factorization problem, the password verifier is [VHfCP+l)" 1 ] 2 mod n, V 2 =[f(P+2)" 1 ] 2 
mod n, V 3 =[f(?+3)' l f mod n, V k =[f(P+k)" 1 ] 2 mod n, V=H(V b V 2 , ...,V k )], where n=p*q(p 
and q are RSA fractions), and f(P) is a function for expanding the password P into lg(n) bits. 

11. The method as claimed in claim 1, wherein the witness number is 



where c=H(TSK||A), TSK=H(K'||0), K-[V 4 (X)] y , K , -H(K||g x |ig y ||ID User ||IDserver, and 
H( ) is a hash function. 

12. The method as claimed in claim 11, wherein authentication of the witness number 
B is performed using 



where c=H(TSK||A), TSK=H(K'||0), K=[V" l (Y)] x , K^HCKI^Hg^IDuserlllDserver, and c, 
is an i-th bit. 

13. The method as claimed in claim 1, wherein the server makes a random challenge 
transmitted for authentication from the server to the user known only to the server and the 
user to defend against an offline dictionary attack. 



B = r*f] f ( p+i ) Ci 
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